Albert Widjaja
asked on
Organization Preparation FAILED The ErrorRecord: Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException: Active Directory operation failed
Hi people,
I'm having some problem with the following error message when executing the Exchange Server 2010 SP3 installation on my Schema Master domain controller under my admin account:
I'm trying to delete the "Microsoft Exchange Security Groups" in AD Users & Computers console with advanced view, but somehow the search returns no result ?
Any help and suggestion would be appreciated muchly.
Thanks.
I'm having some problem with the following error message when executing the Exchange Server 2010 SP3 installation on my Schema Master domain controller under my admin account:
Organization Preparation FAILED The following error was generated when "$error.Clear();
initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions" was run: "Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.".
I'm trying to delete the "Microsoft Exchange Security Groups" in AD Users & Computers console with advanced view, but somehow the search returns no result ?
Any help and suggestion would be appreciated muchly.
Thanks.
Hi ITSystemsEngineer,
So are you upgrading from a previous version of Exchange 2010? If so, the only schema update you need to do is.
Setup.com /PrepareAD
You don't need to run any of the others. Check out my blog post on upgrading to SP3 here.
https://supertekboy.com/2014/05/01/exchange-2010-installing-service-pack-3/
I would also recommend NEVER moving or deleting the Exchange Security Groups.
So are you upgrading from a previous version of Exchange 2010? If so, the only schema update you need to do is.
Setup.com /PrepareAD
You don't need to run any of the others. Check out my blog post on upgrading to SP3 here.
https://supertekboy.com/2014/05/01/exchange-2010-installing-service-pack-3/
I would also recommend NEVER moving or deleting the Exchange Security Groups.
ASKER
Hi Gareth,
I'm trying to update SP2 to SP3 and yes, I only try to execute the "Setup.com /PrepareAD" command in the AD/DC Schema master role but it is failed.
The AD security group is not exist in the ADUC console ?
I'm trying to update SP2 to SP3 and yes, I only try to execute the "Setup.com /PrepareAD" command in the AD/DC Schema master role but it is failed.
The AD security group is not exist in the ADUC console ?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Well it doesn't exist in the root domain. but somehow setup.com complains that it exist in AD eventhough I can't see it anywhere.
Yes this is just a single domain forest. I don't have multiple.
split-AD permissions? what is that ? I'm new to Exchange Server 2010
My account is already granted or member of the Enterprise, Domain and Schema admins.
Yes this is just a single domain forest. I don't have multiple.
split-AD permissions? what is that ? I'm new to Exchange Server 2010
My account is already granted or member of the Enterprise, Domain and Schema admins.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks fo the reply Amit.
Since I'm running the setup.com from the DC using RDP, so do I have to run "ServerManagerCmd -i RSAT-ADDS" ?
My problem is in the missing Exchange AD Security group which stops me in continuing the SP3 upgrade.
Since I'm running the setup.com from the DC using RDP, so do I have to run "ServerManagerCmd -i RSAT-ADDS" ?
My problem is in the missing Exchange AD Security group which stops me in continuing the SP3 upgrade.
If you are running from DC, then you don't need it. Did you try to ran cmd as administrator and tried.
ASKER
Yes I have already tried with the Run as Administrator.
not sure as to why this missing security group stopping me from installing SP3 :-/
not sure as to why this missing security group stopping me from installing SP3 :-/
That is an important group, you run prepare domain first using sp2 and then try again.
ASKER
ok, so in Exchange Server 2010 environment (all SP version), does that group MUST exist in the Active Directory Users & Computers console under the domain.com ?
My understanding is that it was only needed for Exchange Server 2007 but not 2010.
Why do I have to run it using the older setup files on my working production servers ?
My understanding is that it was only needed for Exchange Server 2007 but not 2010.
Why do I have to run it using the older setup files on my working production servers ?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Gareth,
I cannot see it under my Member Of tab. When I run the Exchange BPA, the wizard result reports that the group is empty.
However, I can still add myself into the group using the Exchange Management console from Outlook Web App.
Upon checking the membeship from ADUC console in the member of tab, I got this error pop up when clicking on the Organization Management group.
-------------------------- -
Active Directory Domain Services
-------------------------- -
There is no such object on the server.
-------------------------- -
OK
-------------------------- -
but the entry still exist on the Member Of tab.
Re-running the Setup.com /PrepareAD in the Schema Master role elevated command prompt still gives me the same error message.
I cannot see it under my Member Of tab. When I run the Exchange BPA, the wizard result reports that the group is empty.
However, I can still add myself into the group using the Exchange Management console from Outlook Web App.
Upon checking the membeship from ADUC console in the member of tab, I got this error pop up when clicking on the Organization Management group.
--------------------------
Active Directory Domain Services
--------------------------
There is no such object on the server.
--------------------------
OK
--------------------------
but the entry still exist on the Member Of tab.
Re-running the Setup.com /PrepareAD in the Schema Master role elevated command prompt still gives me the same error message.
ASKER
I'm not sure hot to check if my Exchange Server was setup as split permission or RBAC by my predecessor.
Is there any way to check it ?
DO I have to execute the service pack as the following command instead ?
Is there any way to check it ?
DO I have to execute the service pack as the following command instead ?
Setup.com /PrepareAD /ActiveDirectorySplitPermissions:True
I am assuming a search of AD doesn't turn up the Organization Management group either?
Check this article. Specifically the last section titled "Switch from Active Directory split permissions to shared permissions"
http://technet.microsoft.com/en-us/library/dd638146(v=exchg.150).aspx
To disable split-permissions you would actually toggle it to False.
Check this article. Specifically the last section titled "Switch from Active Directory split permissions to shared permissions"
http://technet.microsoft.com/en-us/library/dd638146(v=exchg.150).aspx
To disable split-permissions you would actually toggle it to False.
ASKER
search of AD doesn't turn up the Organization Management group either?
yes that is the case, I cannot find all of the following security group through the ADUC:
"Exchange Organization Administrators"
"Microsoft Exchange Security Groups"
"Organization Management"
but when I execute the powershell command below I can see them listed and associated with my user account and some groups.
Gareth,
My goal here is to allow SP3 installation to be applied in all Exchange 2010 servers, I don't want to mess around with the current security scheme because i don't know how to set it up and why it was setup before.
yes that is the case, I cannot find all of the following security group through the ADUC:
"Exchange Organization Administrators"
"Microsoft Exchange Security Groups"
"Organization Management"
but when I execute the powershell command below I can see them listed and associated with my user account and some groups.
[PS] C:\Windows\system32>get-rolegroupmem ber "organization management" | ft -AutoSize
Name RecipientType
---- -------------
Exchange Organization Administrators Group
Administrator UserMailbox
Alex Santana UserMailbox
Mail Security Service Account UserMailbox
John Henry UserMailbox
[PS] C:\Windows\system32>get-rolegroupmem ber "recipient management" | ft -AutoSize
Name RecipientType
---- -------------
Exchange Recipient Administrators Group
IT-Helpdesk-HeadOffice Group
[PS] C:\Windows\system32>
Gareth,
My goal here is to allow SP3 installation to be applied in all Exchange 2010 servers, I don't want to mess around with the current security scheme because i don't know how to set it up and why it was setup before.
I wonder if there is anything wrong with that DC perhaps. I noticed setup was hitting PRODDC1.
Maybe we could force setup to use another DC?
Can't remember if you can couple /PrepareAD with /DomainController switches.
Maybe we could force setup to use another DC?
Can't remember if you can couple /PrepareAD with /DomainController switches.
Better call MS.
One other random thought. Not sure what level your AD forest is at.
But those objects aren't in the AD Lost and Found / Recycle Bin are they?
But those objects aren't in the AD Lost and Found / Recycle Bin are they?
ASKER
Gareth, both Domain and Forest functional level is at Windows Server 2003
Somehow I cannot find the result after following this steps in http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx
here's the view from the Lost & Found:
Somehow I cannot find the result after following this steps in http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx
here's the view from the Lost & Found:
Yea I agree with Amit. I think this is a call to Microsoft.
ASKER
ok, I'm inclined towards doing the steps described here: http://www.itguydiaries.net/2012/07/omg-exchange-security-groups-were.html
I know that the error message is different but somehow I cannot find all of the Exchange builtin Security group that were supposed to be there.
so can I actually perform the steps described in the above web page and then continuing with the Setup.com /prepareAD without causing any email downtime or problem later on ?
I know that the error message is different but somehow I cannot find all of the Exchange builtin Security group that were supposed to be there.
so can I actually perform the steps described in the above web page and then continuing with the Setup.com /prepareAD without causing any email downtime or problem later on ?
Hmmm. I've seen these steps before. Never tried them though.
ASKER
yeah, that's the thing.
Because the error message in the ExchangeSetup.LOG is totally different from what you can see in the blog above.
But interestingly is that the author of the blog describes how to repopulate the builtin AD security group to continue with the SP installation.
My assumption is that during the Schema update /Extension in the Domain Controller, Exchange will still be working during business hours right ? please correct me if I'm wrong.
Because the error message in the ExchangeSetup.LOG is totally different from what you can see in the blog above.
But interestingly is that the author of the blog describes how to repopulate the builtin AD security group to continue with the SP installation.
My assumption is that during the Schema update /Extension in the Domain Controller, Exchange will still be working during business hours right ? please correct me if I'm wrong.
There is no downtime while you are running the schema updates.
ASKER
ok so in my case here I need some clarification. Does the normal working condition of Exchange server 2010 requires the following example of the built in security group to exist in AD ?
Exchange Organization Administrators"
"Microsoft Exchange Security Groups"
"Organization Management"
Regardless what the security mechanism that is used.
I got confused myself as to why I must recreate the simple AD security group through Setup.com package.
Exchange Organization Administrators"
"Microsoft Exchange Security Groups"
"Organization Management"
Regardless what the security mechanism that is used.
I got confused myself as to why I must recreate the simple AD security group through Setup.com package.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Gareth,
So in order to restore those missing groups is there any outage required to run those setup.com /prepareAD after clearing the corrupted ADSI edit entry ?
So in order to restore those missing groups is there any outage required to run those setup.com /prepareAD after clearing the corrupted ADSI edit entry ?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks !
ASKER
ok, I just realized that my AD user account cannot see those builtin AD security group.
I can now see them using the DOMAIN\Administrator account.
That's very strange :-/ because my DOMAIN\Username is already member of the Schema and the Enterprise Administrator, but somehow it is showing the Security group as corrupted object,
I can now see them using the DOMAIN\Administrator account.
That's very strange :-/ because my DOMAIN\Username is already member of the Schema and the Enterprise Administrator, but somehow it is showing the Security group as corrupted object,
ASKER